Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/08/03 07:25:14 UTC

[GitHub] [pulsar] nodece opened a new pull request, #16924: [improve][doc] Improve TLS transport encryption and authentication

nodece opened a new pull request, #16924:
URL: https://github.com/apache/pulsar/pull/16924

   Signed-off-by: Zixuan Liu <no...@gmail.com>
   
   ### Motivation
   
   #16833 and #15634 improve the TLS transport encryption configuration. We need to import the TLS transport encryption and authentication documentation. 
   
   ### Documentation
   
   Check the box below or label this PR directly.
   
   Need to update docs? 
   
   - [ ] `doc-required` 
   (Your PR needs to update docs and you will update later)
     
   - [ ] `doc-not-needed` 
   (Please explain why)
     
   - [x] `doc` 
   (Your PR contains doc changes)
   
   - [ ] `doc-complete`
   (Docs have been already added)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] nodece commented on a diff in pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
nodece commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r936534757


##########
site2/docs/security-tls-transport.md:
##########
@@ -28,7 +28,7 @@ For TLS transport encryption, the clients can use the **trust cert** to verify t
 
 For TLS authentication, the server uses the **trust cert** to verify that the client has a key pair that the certificate authority signed. The common name of the **client cert** is then used as the client's role token (see [Overview](security-overview.md)).
 
-`Bouncy Castle Provider` provides cipher suites and algorithms in Pulsar. If you need [FIPS](https://www.bouncycastle.org/fips_faq.html) version of `Bouncy Castle Provider`, please reference [Bouncy Castle page](security-bouncy-castle.md).
+In Pulsar, we are using [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security provider. We have two format certificates, Java KeyStore(JKS) and CAcerts. When using the JKS, we choose the Conscrypt, this applies to Broker service and Web service. When using the CAcerts on the broker service, we choose the netty-tcnative, which includes two implementations, OpenSSL and JDK, which default to OpenSSL, when the OpenSSL is unavailable, we switch to the JDK.
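Review bot: the replacement line removes the only pointer to the FIPS-capable Bouncy Castle provider (`security-bouncy-castle.md`) without saying whether that option still exists; if that page remains in the docs, keep a one-sentence cross-reference so readers with a FIPS requirement are not left without guidance. Two wording points in the new sentence: "as security provider" should read "as security providers", and "two format certificates" should read "two certificate formats". "CAcerts" is also an easily misread label for PEM certificate files, since it looks like the JDK's `cacerts` truststore; "PEM" or "CA certificates" would be clearer. Finally, the OpenSSL-to-JDK fallback is described as automatic ("when the OpenSSL is unavailable, we switch to the JDK"); because the protocol versions and cipher suites the broker negotiates depend on which implementation is active, the doc should tell operators how to confirm which one was actually loaded rather than leaving the switch implicit.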

Review Comment:
   @momo-jun Thanks! Done.





[GitHub] [pulsar] momo-jun commented on a diff in pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r936346988


##########
site2/docs/security-tls-transport.md:
##########
@@ -28,7 +28,7 @@ For TLS transport encryption, the clients can use the **trust cert** to verify t
 
 For TLS authentication, the server uses the **trust cert** to verify that the client has a key pair that the certificate authority signed. The common name of the **client cert** is then used as the client's role token (see [Overview](security-overview.md)).
 
-`Bouncy Castle Provider` provides cipher suites and algorithms in Pulsar. If you need [FIPS](https://www.bouncycastle.org/fips_faq.html) version of `Bouncy Castle Provider`, please reference [Bouncy Castle page](security-bouncy-castle.md).
+In Pulsar, we are using [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security provider. We have two format certificates, Java KeyStore(JKS) and CAcerts. When using the JKS, we choose the Conscrypt, this applies to Broker service and Web service. When using the CAcerts on the broker service, we choose the netty-tcnative, which includes two implementations, OpenSSL and JDK, which default to OpenSSL, when the OpenSSL is unavailable, we switch to the JDK.

Review Comment:
   ```suggestion
   Pulsar uses [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security providers. There are two certificate formats: 
   * Java KeyStore(JKS): Pulsar uses Conscrypt by default for both broker service and Web service. 
   * CAcerts: Pulsar uses netty-tcnative by default, which includes two implementations, OpenSSL (default) and JDK. When OpenSSL is unavailable, JDK is used.
   ```





[GitHub] [pulsar] momo-jun commented on a diff in pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r939787187


##########
site2/docs/security-tls-transport.md:
##########
@@ -144,6 +146,46 @@ openssl ca -config openssl.cnf -extensions server_cert \
 
 At this point, you have a cert, `broker.cert.pem`, and a key, `broker.key-pk8.pem`, which you can use along with `ca.cert.pem` to configure TLS transport encryption for your broker and proxy nodes.
 
+### Client certificate
+
+1. Enter the command below to generate the key.
+
+```bash
+
+openssl genrsa -out client.key.pem 2048
+
+```
+
+The client expects the key to be in [PKCS 8](https://en.wikipedia.org/wiki/PKCS_8) format, so enter the following command to convert it.
+
+```bash
+
+openssl pkcs8 -topk8 -inform PEM -outform PEM \
+      -in client.key.pem -out client.key-pk8.pem -nocrypt
+
+```
+
+2. Enter the following command to generate the certificate request.
+
+```bash
+
+openssl req -config openssl.cnf \
+    -key client.key.pem -new -sha256 -out client.csr.pem
+
+```
+
+3. Sign it with the certificate authority by entering the command below.
+
+```bash
+
+openssl ca -config openssl.cnf -extensions client_cert \
+    -days 1000 -notext -md sha256 \
+    -in client.csr.pem -out client.cert.pem
+
+```
+
+At this point, you have a cert, `client.cert.pem`, and a key, `client.key-pk8.pem`, which you can use along with `ca.cert.pem` to configure TLS transport encryption for your client.
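Review bot: the closing sentence says the client key pair is used to "configure TLS transport encryption for your client", but a client certificate is only needed for TLS authentication (mutual TLS); for transport encryption alone the client needs only `ca.cert.pem` to verify the broker. Stating that at the top of the "Client certificate" section would stop readers who only want encryption from generating client certificates they do not need. Two smaller points: the `openssl pkcs8 ... -nocrypt` step writes the private key to disk unencrypted, so the doc should tell readers to restrict the permissions of `client.key-pk8.pem` on the client host; and `-extensions client_cert` assumes `openssl.cnf` defines a `client_cert` section, which is worth saying explicitly because the preceding steps on this page only show `server_cert` being used. The blank first and last lines inside each ```bash fence render as empty lines in the code blocks and can be dropped.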

Review Comment:
   ```suggestion
   At this point, you have a cert `client.cert.pem` and a key `client.key-pk8.pem`, which you can use along with `ca.cert.pem` to configure TLS encryption for your client.
   ```





[GitHub] [pulsar] momo-jun commented on a diff in pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r939787371


##########
site2/docs/security-tls-authentication.md:
##########
@@ -124,15 +117,10 @@ When you use TLS authentication, client connects via TLS transport. You need to
 
 [Command-line tools](reference-cli-tools.md) like [`pulsar-admin`](/tools/pulsar-admin/), [`pulsar-perf`](reference-cli-tools.md#pulsar-perf), and [`pulsar-client`](reference-cli-tools.md#pulsar-client) use the `conf/client.conf` config file in a Pulsar installation.
 
-You need to add the following parameters to that file to use TLS authentication with the CLI tools of Pulsar:
+You need to add the following parameters to that file to use TLS authentication with the CLI tools of Pulsar, alongside [the configuration to enable tls transport](security-tls-transport.md#cli-tools):
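Review bot: in the changed line, "tls transport" in the link text should be "TLS transport" to match the rest of the page, and the sentence now carries two trailing qualifiers ("with the CLI tools of Pulsar, alongside ..."), which reads awkwardly; leading with the goal, e.g. "To use TLS authentication with the CLI tools of Pulsar, add the following parameters to `conf/client.conf` alongside [the configuration to enable TLS transport](security-tls-transport.md#cli-tools):", is clearer. Also confirm that the `#cli-tools` anchor resolves to a heading on the transport page, since a broken cross-reference here would send readers away from the step that makes authentication work.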

Review Comment:
   ```suggestion
   To use TLS authentication with the CLI tools of Pulsar, you need to add the following parameters to the `conf/client.conf` file, alongside [the configuration to enable TLS transport](security-tls-transport.md#cli-tools):
   ```





[GitHub] [pulsar] nodece merged pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
nodece merged PR #16924:
URL: https://github.com/apache/pulsar/pull/16924




[GitHub] [pulsar] momo-jun commented on a diff in pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r936346988


##########
site2/docs/security-tls-transport.md:
##########
@@ -28,7 +28,7 @@ For TLS transport encryption, the clients can use the **trust cert** to verify t
 
 For TLS authentication, the server uses the **trust cert** to verify that the client has a key pair that the certificate authority signed. The common name of the **client cert** is then used as the client's role token (see [Overview](security-overview.md)).
 
-`Bouncy Castle Provider` provides cipher suites and algorithms in Pulsar. If you need [FIPS](https://www.bouncycastle.org/fips_faq.html) version of `Bouncy Castle Provider`, please reference [Bouncy Castle page](security-bouncy-castle.md).
+In Pulsar, we are using [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security provider. We have two format certificates, Java KeyStore(JKS) and CAcerts. When using the JKS, we choose the Conscrypt, this applies to Broker service and Web service. When using the CAcerts on the broker service, we choose the netty-tcnative, which includes two implementations, OpenSSL and JDK, which default to OpenSSL, when the OpenSSL is unavailable, we switch to the JDK.

Review Comment:
   ```suggestion
   Pulsar uses [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security providers. There are two certificate formats: 
   * Java KeyStore(JKS): When using JKS, you can choose Conscrypt, which applies to both broker service and Web service. 
   * CAcerts: When using CAcerts for broker service, you can choose netty-tcnative, which includes two implementations, OpenSSL (default) and JDK. When OpenSSL is unavailable, JDK is used.
   ```





[GitHub] [pulsar] nodece commented on pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
nodece commented on PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#issuecomment-1208355038

   Thanks @momo-jun for your review! Could you review this again?




[GitHub] [pulsar] momo-jun commented on a diff in pull request #16924: [improve][doc] Improve TLS transport encryption and authentication

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r936346988


##########
site2/docs/security-tls-transport.md:
##########
@@ -28,7 +28,7 @@ For TLS transport encryption, the clients can use the **trust cert** to verify t
 
 For TLS authentication, the server uses the **trust cert** to verify that the client has a key pair that the certificate authority signed. The common name of the **client cert** is then used as the client's role token (see [Overview](security-overview.md)).
 
-`Bouncy Castle Provider` provides cipher suites and algorithms in Pulsar. If you need [FIPS](https://www.bouncycastle.org/fips_faq.html) version of `Bouncy Castle Provider`, please reference [Bouncy Castle page](security-bouncy-castle.md).
+In Pulsar, we are using [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security provider. We have two format certificates, Java KeyStore(JKS) and CAcerts. When using the JKS, we choose the Conscrypt, this applies to Broker service and Web service. When using the CAcerts on the broker service, we choose the netty-tcnative, which includes two implementations, OpenSSL and JDK, which default to OpenSSL, when the OpenSSL is unavailable, we switch to the JDK.

Review Comment:
   ```suggestion
   Pulsar uses [netty-tcnative](https://github.com/netty/netty-tcnative) and [Conscrypt](https://github.com/google/conscrypt) as security providers. There are two certificate formats:
   * Java KeyStore(JKS): When using JKS, you can choose Conscrypt, which applies to both broker service and Web service. 
   * CAcerts: When using CAcerts for broker service, you can choose netty-tcnative, which includes two implementations, OpenSSL (default) and JDK. When OpenSSL is unavailable, JDK is used.
   ```


